SECTION 15 INFORMATION TECHNOLOGY

Transcription

1 SECTION 15 INFORMATION TECHNOLOGY 15.1 Purpose 15.2 Authorization 15.3 Internal Controls 15.4 Computer Resources 15.5 Network/Systems Access 15.6 Disaster Recovery Plan (DRP)

2 15.1 PURPOSE The Navajo County Information Technology (IT) Policy is established to ensure that information systems and financial data are adequately safeguarded. Secure systems and data are achieved through the establishment of general and application controls. General controls apply to all IT functions and should achieve the following objectives: A. Effective management of IT resources. B. Adequate segregation of duties and responsibilities. C. Identification of hardware or system software malfunctions. D. Prevention of accidental record destruction. E. Restriction of access to IT resources, such as equipment, files, programs, documentation, and telecommunications. F. Effective systems and programs to prohibit unauthorized program change. G. Detection or prevention of accidental errors occurring during processing. H. Development and modification of IT-based accounting systems according to management and user reporting requirements. I. Consistent and reliable operation of the IT function. J. Adequate documentation and control of systems, programs, and instructions. Application controls are categorized as input, processing, and output controls and should achieve the following objectives: A. Maintain an adequate audit trail so transactions can be traced from inception to final disposition through the IT process and vice versa. B. Input date is appropriately authorized. C. Transactions are recorded accurately on the computer files. D. Data on files remains correct and current over an extended period. E. Computer-generated output is reconciled, checked for validity, and distributed to the appropriate recipients.

3 To properly prepare for a disaster policies and procedures should include the following: A. Formally assign disaster recovery coordinators from applicable departments to form a disaster recovery team. B. Require the creation and preservation of back-up data. C. Make provisions for the alternative processing of data following a disaster. D. Provide detailed procedures for restoring data files. E. Establish guidelines for the immediate aftermath of a disaster AUTHORIZATION A. Ensure security over computer systems and the data they contain to prevent or detect unauthorized use, damage, loss, or modification of programs, and misuse of information. 1. Limit logical access to authorized users of the County systems. 2. Use a standardized access request form for approval for access to the systems, and retain all access request forms with the supervisor s approval. 3. Eliminate access to computer systems promptly when an employee separates employment with the County. 4. Require users to change passwords at regular intervals, e.g., every 3 months, and to set passwords that include special characters and minimum length. 5. System controls to lock out users after more than three failed access attempts INTERNAL CONTROLS A. Internal controls support IT activities and help Navajo County to achieve the following objectives: 1. Effective management of computer resources. 2. Adequate segregation of duties and responsibilities. 3. Identification of hardware and system software malfunctions.

4 4. Restriction of access to IT resources, such as equipment, data, programs, documentation, and communication systems. 5. Effective systems and programs to prohibit unauthorized program change. 6. Adequate documentation and control of systems, programs, and instructions. 7. A periodic review of user access is conducted to ensure segregation of duties. 8. Elevated access as related to job duties is monitored electronically on an ongoing basis. B. Organization and operation controls provide segregation of functions, duties, and responsibilities so that no one individual performs incompatible duties. C. Navajo County has controls for the development and modification of each application system. IT systems are developed or modified according to management and user requirements. Requirements for systems development involve: 1. User representatives and designated management employees evaluate proposed systems at critical stages. 2. Segregation of duties for: a. Developing, implementing changes and testing. b. Authorizing and approving changes. 3. IT personnel will obtain final approval from users before placing a system into operation. 4. IT will establish procedures to authorize, test, implement, and document program changes after implementing the system to maintain its integrity. D. Maintain hardware and system software controls to identify malfunctions that occur in both the hardware and software. E. Access controls provide safeguards that allow only those individuals designed by management to use hardware, files, or programs. 1. Access to production data and program files will be controlled and limited where possible.

5 2. Management will limit computer hardware access to operators and assign hardware to specific employees. This data is maintained and verified in accordance with the capital asset policy 3. Access to hardware, files, and programs is limited and monitored through the following safeguards: a. Physical Security Devices b. Logical Security Techniques F. Data and procedural controls provide a framework for controlling daily operations and establishing safeguards against processing errors. 1. Written documentation of the various IT systems is maintained for users as applicable. 2. IT functions are reviewed and tested periodically to monitor the effectiveness of data and procedural controls. G. Contingency planning controls are designed to safeguard against the accidental loss or destruction of records, and to prevent interruption of IT operations. 1. Backup controls. Files, programs, and documentation are physically safeguarded by maintaining backup copies in an off-site storage facility. 2. Environmental controls. The storage site will be protected against safety hazards and environmental damage, as well as unauthorized access. 3. Disaster recovery controls. Navajo County has outlined disaster recovery controls extensively in the Information Technology Disaster Recovery Plan, a section in the Emergency Operations Plan COMPUTER RESOURCES A. The following general controls are implemented for personal computers, laptops, and tablets. 1. Physical security. In a personal computer environment, personal computers and equipment should be adequately protected against theft, unauthorized use, and environmental hazards. 2. Backup and recovery. Data files are mirrored daily so that at least a second copy is available for processing if the original file is lost or

6 destroyed. Backup copies of critical data files are stored in safe locations that are secure from hazards, such as fire or extreme heat. B. Virus Prevention and Detection The IT Department routinely evaluates network security and attempts to identify potential areas that are susceptible to threats NETWORK/SYSTSEMS ACCESS Network/systems access is requested, approved and granted through a formal process using the Systems Access Request Form in the appendix of this manual. This process applies to new employees or changes to access for existing employees DISASTER RECOVERY PLAN (DRP) A. Purpose. Governments provide many essential services to their citizens. The disruption of these services following a disaster could result in a significant harm or inconvenience to those whom government serves. State and local government have a duty to ensure that disruptions in the provision of essential services are minimized following a disaster. 1. Risk Assessment. All County systems are essential but are prioritized in the event of a disaster recovery. 2. Applicability. The Disaster Recovery Plan covers all essential and critical infrastructure elements, systems and networks. 3. Testing. The DRP is periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that the management and staff understand how it is to be executed. 4. Communication. All staff must be made aware of the disaster recovery plan and their own respective roles. Copies of the DRP are distributed to appropriate personnel. A copy is kept electronically at the Alternate Data Center. B. Objectives. The principal objective of the disaster recovery program is to develop, test and document a well-structured and easily understood plan which will help the county recover as quickly and effectively as possible from an unforeseen disaster or emergency which interrupts information systems and business operations. Additional objectives include the following: 1. The need to ensure that all employees fully understand their duties in implementing such a plan. 2. The need to ensure that operational policies are adhered to within all planned activities.

7 3. The need to ensure that proposed contingency arrangements are costeffective. 4. The need to consider implications on other county sites. C. Disaster recovery capabilities as applicable to key customers, vendors and others. Key Personnel Contact Info and the notification list are documented in the Emergency Operations Plan (EOC). D. Plan Updating. It is necessary for the DRP updating process to be properly structured and controlled. Whenever changes are made to the plan they are to be fully tested and appropriate amendments should be made to the training materials. This will involve the use of formalized change control procedures under the control of the IT Director. E. Backup Strategy. Navajo County has a fully mirrored recovery site at a remote location. The site is a fully mirrored duplicate site which will enable instantaneous switching between the live site (Holbrook Complex) and the remote backup site. F. Emergency Response. 1. Plan Triggering Events. In the event of the primary facility and/or normal operations failure the disaster recovery plan will be activated 2. Assembly Points. Where the premises need to be evacuated, the alternate data center is the assemble point G. Exercising/Testing. Plan exercising ensures that emergency teams are familiar with their assignments and that systems can be restored as planned. Random periodic testing of systems is performed and results of the testing are documented electronically.